Traefik, when configured to handle HTTPS, can automatically redirect all incoming HTTP requests to their HTTPS equivalents, ensuring all traffic is encrypted.

Let’s see Traefik in action with a simple setup. Imagine we have a web service running on localhost:8080 that we want to expose securely.

First, our Traefik static configuration (traefik.yml) needs to enable the dashboard (for monitoring) and specify the entry points for HTTP and HTTPS.

# traefik.yml
log:
  level: INFO

api:
  dashboard: true
  insecure: true # For simplicity in this example; use authentication in production.

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "https"
          scheme: "https"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

Notice the redirections section under the http entry point. This is the core of the redirect. It tells Traefik that any request hitting the http entry point should be redirected to the https entry point using the https scheme.

Now, let’s define our service using Docker Compose. We’ll use a simple whoami container as our backend service and tell Traefik to route traffic to it. We’ll also need a Traefik container.

# docker-compose.yml
version: '3.7'

services:
  traefik:
    image: traefik:v2.9
    # Static configuration is read from the mounted traefik.yml (see volumes below).
    # Traefik v2 does not merge file-based and CLI static configuration, and
    # --config.defaultentrypoints is not a Traefik v2 option, so no flags are passed here.
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080" # For Traefik dashboard
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.localhost`)"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.middlewares=redirect-to-https" # This is key!
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true" # Use 301 for permanent redirect

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
      - "traefik.http.routers.whoami.entrypoints=http" # Initially listen on HTTP
      - "traefik.http.routers.whoami.middlewares=redirect-to-https" # Apply the redirect middleware
      - "traefik.http.services.whoami.loadbalancer.server.port=80"

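In this docker-compose.yml, we’re also defining the redirect as a middleware. This is a more granular approach: the redirections block in traefik.yml applies to every request that reaches the http entry point, while a middleware affects only the routers it is attached to. We apply this redirect-to-https middleware to both the traefik router itself and the whoami router. The middleware is configured to redirect to the https scheme permanently (HTTP 301).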

To make this work, you’ll need to have Docker and Docker Compose installed. Save the traefik.yml and docker-compose.yml files in the same directory, then run:

docker-compose up -d

Now, if you try to access http://whoami.localhost in your browser, you’ll be automatically redirected to https://whoami.localhost. If you try to access http://traefik.localhost, it will also redirect. For this to actually work over HTTPS, you would need to configure TLS certificates for Traefik, which is a separate but crucial step for production environments. Traefik can automate this using Let’s Encrypt.

The mental model here is Traefik acting as a smart reverse proxy. It listens on defined entryPoints (like port 80 for HTTP and 443 for HTTPS). When a request arrives, Traefik checks its routing rules. If a router is configured to use a redirectscheme middleware, Traefik doesn’t just forward the request; it sends back an HTTP redirect response to the client. The client (your browser) then makes a new request to the URL specified in the redirect. The permanent=true flag makes the response a 301, which browsers cache, so subsequent requests to the HTTP version go straight to the HTTPS version without hitting Traefik again for the initial HTTP request.

The most surprising thing about this redirect mechanism is that Traefik itself doesn’t directly handle the HTTPS connection in this specific redirect setup; it instructs the client’s browser to initiate a new HTTPS connection. The to: "https" or redirectscheme.scheme: "https" directive tells Traefik to generate a Location header in the HTTP response, pointing to the equivalent URL but with https:// as the scheme. This means your backend service (whoami in this case) doesn’t even need to be aware of HTTPS; Traefik handles the transition from the insecure world to the secure one.
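A way to check the redirect described above from the command line, as an added example that is not part of the original tutorial. The function name check_redirect, the constructed sample responses and the status-code policy (301/308 accepted, 302/303/307 flagged) are assumptions of this example.

```shell
# Added example: judge the response to a plain-HTTP request.
# Reads raw response headers on stdin, takes the expected host as $1.
check_redirect() {
    expected_host=$1
    headers=$(tr -d '\r')            # HTTP header lines end in CRLF
    code=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')
    case $code in
        301|308) kind=permanent ;;
        302|303|307) kind=temporary ;;
        *) echo "FAIL: status ${code:-none} is not a redirect"; return 1 ;;
    esac
    case $location in
        https://*) ;;
        *) echo "FAIL: Location '$location' is not https"; return 1 ;;
    esac
    # Host part of the Location URL, without path or port.
    host=${location#https://}
    host=${host%%/*}
    host=${host%%:*}
    if [ "$host" != "$expected_host" ]; then
        echo "FAIL: redirect leaves $expected_host for $host"; return 1
    fi
    if [ "$kind" = temporary ]; then
        echo "WARN: $code is temporary; permanent=true should give 301"
        return 0
    fi
    echo "OK: $code -> $location"
}

# Constructed sample responses (not captured from a real Traefik instance).
sample_permanent() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://whoami.localhost/\r\n\r\n'
}
sample_temporary() {
    printf 'HTTP/1.1 302 Found\r\nLocation: https://whoami.localhost/\r\n\r\n'
}
sample_served_in_clear() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n'
}

sample_permanent | check_redirect whoami.localhost
sample_temporary | check_redirect whoami.localhost
sample_served_in_clear | check_redirect whoami.localhost || true

# Against the running stack (assumes Traefik is published on 127.0.0.1:80):
#   curl -sI -H 'Host: whoami.localhost' http://127.0.0.1/ | check_redirect whoami.localhost
```

A FAIL on the 200 case means a router answered on the http entry point without the redirect, so content was served in clear text.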

The next concept to explore is how to actually enable TLS on the https entry point so that the redirected requests can be fulfilled securely.
